Quiz Flashcards
what is iptables used for
host based IP filtering
the following command tells you what?
grep ^$ file1.txt | wc -l
There are 30 blank lines in file1.txt
What is the expected output of the following command:
grep -v '^$' message.txt
any line that is not a blank line in message.txt
Right now I can't use 'sudo', what file needs to be updated to allow a regular user to run commands
/etc/sudoers
When working with a disk image containing an MBR, most Sleuthkit commands require information provided by what commands?
fdisk or mmls
In the following command what does the '.' signify?
find . -name 'myfile.txt'
start in current directory
What are the differences between systemd and BSD style init systems
systemd uses targets while BSD init uses runlevels
BSD runs linearly
systemd runs parallel
BSD init is text based
systemd uses a binary system
Given the below forensic image containing two NTFS partitions, what will the following command display?
mmls suspect_image.raw
The offsets to each file system in the image
What is the sed command most often used for?
editing a stream of data, usually in ASCII
What was Bash designed to be
A replacement to the original UNIX Bourne shell
In Regex, what symbol means "zero or one of the preceding characters"?
?
* - zero, one or more
+ - one or more
‘' - match previous or next character/group
What is the only Linux distribution suitable for digital forensics?
all Linux distributions can be configured to work for digital forensics, depending on the investigator's needs
What file do you need to restart a ddrescue acquisition
map file
What information would you expect from the fls -Frd command
Example: fls -o 10260 -Frd able2.dd
-F (only files entries)
-d (deleted entries)
-r (recursive)
r/r - indicates the file type (r-regular, d-directory)
* - indicates the file is deleted or unallocated
Output:
r/r * 10063: var/log/xferlog.5
r/r * 10063: var/lock/makewhatis.lock
r/r * 2139: dev/ttYZ0/lrkn.tgz
d/r * 10071(realloc): dev/ttYZ0/lrk3
The first 10 characters of 'ls -l' are reserved for what information?
Example:
brw-rw----
File type information and read(4)/write(2)/execute(1) permissions
the object is a block device file with permissions 660
True/False: lsblk will not show a flash based storage device because flash based devices are not recognized by the SCSI driver
False
Given a data block from a file system containing interesting text, I can determine the metadata entry (MFT entry, inode, etc.) that points to that data block using what command?
ifind with the -d option
What does the dd command do?
-can be used to restore a hard drive to a previous state, given a dd image previously collected from the same hard drive
-can be used to acquire disk images
-can be used to copy a file from one location to another
What information will be displayed when you add a metadata entry number to the fls command
display the contents of that directory / metadata entry number
What are the permissions for the octal value 774
rwxrwxr--
What does this command output:
xxd image.dd | grep 'aad9bcf3'
it will output the occurrences of ASCII 'aad9bcf3' if it is located in the xxd output
what does the command ewfexport do
exports a virtual fuse mounted raw image
take an EWF file set and convert it to a bit stream image file, essentially removing the metadata and leaving us with the data in raw format, as with dd.
What command can be used to associate multiple partitions in the image to separate loop devices
losetup -Pr image.raw
losetup -P maps partitions within an image to separate loop devices that can then be mounted the same as any other volume
What command obtains a serial number from a USB flash drive
lsusb -v
What does the following command output:
grep -i 'it' thinking.txt
strings containing 'IT', 'it', 'It'
-i = case insensitive
What is the following command doing:
dc3dd if=/dev/sda | nc 192.168.55.18 2020
dc3dd is imaging the /dev/sda device on the source computer and sending the extracted data to the IP address 192.168.55.18 on port 2020
the collection/receiving computer has an open nc connection on port 2020
What is an advantage of using dc3dd over dd
dc3dd has logging and hashing capabilities built in
What are the commands used to install software "from source"
'./configure' command sets environment variables and enables or disables program features based on available libraries and arguments
'make' command compiles the program
'install' command moves the compiled executables
sboinstall - installs from packages
To install a Slackware package, when we are not using the slackpkg front end, we use the pkgtool command installpkg
What will the blkcat command output
directly stream the contents of a data block you specify
What command will identify a file system on a block device (/dev/sdc1)
file -s /dev/sdc1
The output from what command can be piped into another command to calculate the hash, check a file type, or view contents
icat
What command should be used to stream contents of data blocks associated with a particular metadata entry
icat
What does the d input indicate in the following command
ifind -o 2048 -d 232989 image.raw
the -d input is associated with a data block / inode
a data block from the file system at offset 2048 from image.raw
What command can be used to identify file system blocks associated with a metadata entry
istat
What command will show all the lines in file file2.txt that contain the string 'McDonald'
grep 'McDonald' file2.txt
grep -i mcdonald file2.txt
Given the hexadecimal number "0xCCE4F8", the commands "echo $((cce4f8))" and "echo 'ibase=16;cce4f8' | bc" would output what
an incorrect value
correct commands would be
echo "ibase=16; cce4f8" | bc
echo $((0xcce4f8))
What grep expression would match the following output:
201981131:15:46:15 log entry created
^[[:digit:]]{8}
What do package managers allow a user to do?
Keep track of what packages are installed
they do not install optional dependencies by default
What command will mount a split raw image file and access it as a single raw image
affuse
What command will recursively list only the unallocated files of a directory with an MFT number 44 contained in image.raw with file system starting at 2048
fls -o 2048 -Frd image.raw 44
What command will result in a loop device that contains only the NTFS volume at offset 59
losetup -o $((59*512))
What command can be used to check to see if a disk has been wiped (with all 0’s)
xxd -a /dev/sdd
What is a benefit of using a package manager compared to downloading source code
package manager keeps track of what has been installed
downloading from source allows for customization
What command can be used to show kernel messages to detect devices
dmesg
What is the following command doing if /dev/sdd is a 4G drive:
dc3dd if=/dev/sdd ofs=image.000 ofsz=2G log=image.log
a forensic image of the device, split into the files image.000 and image.001
What directory usually contains system binary files that are run by root
sbin
What is true about md5sum and sha1sum
You can hash data coming through a netcat pipe
they can’t be used to compress files
cannot use hash value to recreate a file
What does the -exec parameter of the find command do
execute the following command on every file found
A correct fls -Dd command will accomplish what?
A list of deleted directories but not deleted sub-directories of deleted directories (not recursive)
How would you unmount a volume mounted at /mnt/analysis at /dev/sdb1
umount /mnt/analysis or umount /dev/sdb1